Preconfigure fail2ban and core security services by default

2026-05-10 20:13:30 +00:00
parent be6ddf1416
commit 43734fe1b1
9 changed files with 139 additions and 35 deletions
@@ -2,11 +2,14 @@

 Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container.

-Installiert unter anderem:
- Security-Basis: `ufw`, `fail2ban`, `unattended-upgrades`, `auditd`
- Admin-Tools: `git`, `curl`, `jq`, `tmux`, `htop`
- Runtime: `nodejs`, `npm`
- CLI: `@openai/codex`
+Installiert und **direkt vorkonfiguriert**:
+- `fail2ban`: SSH/SSHD-DDoS + Recidive-Jail, UFW-Ban-Action
+- `ufw`: default deny incoming, allow outgoing, SSH-Rate-Limit, 80/443 erlaubt
+- `unattended-upgrades`: taegliche Security-Updates aktiv
+- `openssh-server`: Basishardening via `sshd_config.d`
+- `auditd`: grundlegende Audit-Regeln fuer sensible Dateien
+- `sysctl`: Kernel/Netzwerk-Hardening-Basis
+- `nodejs`, `npm`, `@openai/codex`

 ## Standardprozess nach Download

@@ -24,12 +27,24 @@ sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install
 sudo sicherheit-install
 ```

+## Wichtige Konfigurationen
+
+- `config/fail2ban/jail.local`
+- `config/ufw/after.rules`
+- `config/unattended-upgrades/20auto-upgrades`
+- `config/unattended-upgrades/50unattended-upgrades`
+- `config/ssh/sshd_config.d-sicherheit.conf`
+- `config/sysctl/99-sicherheit.conf`
+- `config/auditd/hardening.rules`
+
 ## Pruefen

 ```bash
 fail2ban-client status
+fail2ban-client status sshd
 ufw status verbose
 systemctl status unattended-upgrades --no-pager
+sshd -t
 node --version
 npm --version
 codex --help